- From: Francois Marier <francois@mozilla.com>
- Date: Thu, 07 May 2015 18:17:18 +1200
- To: public-webappsec@w3.org

On 07/05/15 06:17, Tanvi Vyas wrote:
> Requiring CORS is an unfortunate constraint because web developers
> cannot use SRI on all the third-party javascript embedded on their
> page. They have to reach out to each third-party and ask that they set
> the CORS header.

Thanks for raising this Tanvi. I'm also worried about the impact that this will have on adoption.

Your solution is interesting and so is Mike West's suggestion to remove cookies and auth (https://github.com/w3c/webappsec/issues/338).

At the very least, we should ensure that this requirement is specified in such a way that we can remove it in the future without older clients blocking these sub-resources.

Francois

Received on Thursday, 7 May 2015 06:17:51 UTC